The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2022-2091 | The Cache Images WordPress plugin before 3.2.1 does not implement nonce checks, which could allow attackers to make any logged-in user upload images via a CSRF attack. | MEDIUM | Jul 11, 2022 | n/a |
CVE-2022-2090 | The Discount Rules for WooCommerce WordPress plugin before 2.4.2 does not escape a parameter before outputting it back in an attribute of the plugin's discount rule page, leading to Reflected Cross-Site Scripting | MEDIUM | Jul 17, 2022 | n/a |
CVE-2022-1957 | The Comment License WordPress plugin before 1.4.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1956 | The Shortcut Macros WordPress plugin through 1.3 does not have authorisation and CSRF checks in place when updating its settings, which could allow any authenticated users, such as subscriber, to update them. | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1951 | The core plugin for kitestudio WordPress plugin before 2.3.1 does not sanitise and escape some parameters before outputting them back in a response of an AJAX action, available to both unauthenticated and authenticated users when a premium theme from the vendor is active, leading to a Reflected Cross-Site Scripting. | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1937 | The Awin Data Feed WordPress plugin before 1.8 does not sanitise and escape a parameter before outputting it back via an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1933 | The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting | MEDIUM | Jul 17, 2022 | n/a |
CVE-2022-1910 | The Shortcodes and extra features for Phlox WordPress plugin before 2.9.8 does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1794 | The CODESYS OPC DA Server prior to V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system. | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1737 | Pyramid Solutions' affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner, are vulnerable to an out-of-bounds write, which may allow an unauthorized attacker to send a specially crafted packet that may result in a denial-of-service condition. | MEDIUM | Jul 13, 2022 | n/a |
CVE-2022-1732 | The Rename wp-login.php WordPress plugin through 2.6.0 does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1672 | The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks | MEDIUM | Jul 17, 2022 | n/a |
CVE-2022-1599 | The Admin Management Xtended WordPress plugin before 2.4.5 does not have CSRF checks in some of its AJAX actions, allowing attackers to make a logged-in user with the right capabilities call them. This can lead to changes in post status (draft, published), slug, post date, comment status (enabled, disabled) and more. | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1576 | The WP Maintenance Mode & Coming Soon WordPress plugin before 2.4.5 is lacking CSRF when emptying the subscribed users list, which could allow attackers to make a logged in admin perform such action via a CSRF attack | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1546 | The WooCommerce - Product Importer WordPress plugin through 1.5.2 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1474 | The WP Event Manager WordPress plugin before 3.1.28 does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1220 | The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | MEDIUM | Jul 15, 2022 | n/a |
CVE-2021-46741 | The basic framework and setting module have defects, which were introduced during the design. Successful exploitation of this vulnerability may affect system integrity. | MEDIUM | Jul 12, 2022 | n/a |
CVE-2021-44222 | A vulnerability has been identified in SIMATIC eaSie Core Package (All versions < V22.00). The underlying MQTT service of affected systems does not perform authentication in the default configuration. This could allow an unauthenticated remote attacker to send arbitrary messages to the service and thereby issue arbitrary requests in the affected system. | MEDIUM | Jul 15, 2022 | n/a |
CVE-2021-44221 | A vulnerability has been identified in SIMATIC eaSie Core Package (All versions < V22.00). The affected systems do not properly validate input that is sent to the underlying message passing framework. This could allow a remote attacker to trigger a denial of service of the affected system. | MEDIUM | Jul 15, 2022 | n/a |
CVE-2021-41396 | Live555 through 1.08 does not handle socket connections properly. A huge number of incoming socket connections in a short time invokes the error-handling module, in which a heap-based buffer overflow happens. An attacker can leverage this to launch a DoS attack. | MEDIUM | Jul 12, 2022 | n/a |
CVE-2021-40012 | Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality. | MEDIUM | Jul 15, 2022 | n/a |
CVE-2021-39041 | IBM QRadar SIEM 7.3, 7.4, and 7.5 may be vulnerable to partial denial of service attack, resulting in some protocols not listening to specified ports. IBM X-Force ID: 214028. | MEDIUM | Jul 16, 2022 | n/a |
CVE-2021-38289 | An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts. | MEDIUM | Jul 15, 2022 | n/a |
CVE-2021-36668 | URL injection in Druva inSync 6.9.0 for MacOS allows attackers to force a visit to an arbitrary URL via the port parameter to the Electron App. | MEDIUM | Jul 13, 2022 | n/a |
CVE-2021-36667 | Command injection vulnerability in Druva inSync 6.9.0 for MacOS, allows attackers to execute arbitrary commands via crafted payload to the local HTTP server due to un-sanitized call to the python os.system library. | MEDIUM | Jul 13, 2022 | n/a |
CVE-2021-36461 | An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to get a shell via the Settings Upload Picture section by uploading pictures with malicious code, user.ini. | MEDIUM | Jul 15, 2022 | n/a |
CVE-2021-24655 | The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account. | MEDIUM | Jul 17, 2022 | n/a |
CVE-2020-29505 | Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Key Management Error Vulnerability. | MEDIUM | Jul 12, 2022 | n/a |
CVE-2020-4159 | IBM QRadar Network Security 5.4.0 and 5.5.0 discloses sensitive information to unauthorized users which could be used to mount further attacks against the system. IBM X-Force ID: 174339. | MEDIUM | Jul 16, 2022 | n/a |
CVE-2020-4157 | IBM QRadar Network Security 5.4.0 and 5.5.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174337. | MEDIUM | Jul 16, 2022 | n/a |
CVE-2019-10800 | This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being provided to the popen method. | MEDIUM | Jul 13, 2022 | n/a |
CVE-2017-20137 | A vulnerability was found in Itech B2B Script 4.28. It has been rated as critical. This issue affects some unknown processing of the file /catcompany.php. The manipulation of the argument token with the input 704667c6a1e7ce56d3d6fa748ab6d9af3fd7' AND 6539=6539 AND 'Fakj'='Fakj leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | MEDIUM | Jul 16, 2022 | n/a |
CVE-2017-20136 | A vulnerability classified as critical has been found in Itech Classifieds Script 7.27. Affected is an unknown function of the file /subpage.php. The manipulation of the argument scat with the input =51' AND 4941=4941 AND 'hoCP'='hoCP leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | MEDIUM | Jul 16, 2022 | n/a |
CVE-2022-35410 | mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive. | MEDIUM | Jul 8, 2022 | n/a |
CVE-2022-35406 | A URL disclosure issue was discovered in Burp Suite before 2022.6. If a user views a crafted response in the Repeater or Intruder, it may be incorrectly interpreted as a redirect. | MEDIUM | Jul 8, 2022 | n/a |
CVE-2022-34914 | Webswing before 22.1.3 allows X-Forwarded-For header injection. The client IP address is associated with a variable in the configuration page. The {clientIp} variable can be used as an application startup argument. The X-Forwarded-For header can be manipulated by a client to store an arbitrary value that is used to replace the clientIp variable (without sanitization). A client can thus inject multiple arguments into the session startup. Systems that do not use the clientIP variable in the configuration are not vulnerable. The vulnerability is fixed in these versions: 20.1.16, 20.2.19, 21.1.8, 21.2.12, and 22.1.3. | MEDIUM | Jul 8, 2022 | n/a |
CVE-2022-34879 | Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555. | MEDIUM | Jul 5, 2022 | n/a |
CVE-2022-34829 | Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API. | MEDIUM | Jul 5, 2022 | n/a |
CVE-2022-34306 | IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 229435. | MEDIUM | Jul 8, 2022 | n/a |
CVE-2022-34160 | IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 229330. | MEDIUM | Jul 8, 2022 | n/a |
CVE-2022-34151 | Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who successfully obtained the user credentials by analyzing the affected product to access the controller. | MEDIUM | Jul 5, 2022 | n/a |
CVE-2022-34007 | EQS Integrity Line Professional through 2022-07-01 allows a stored XSS via a crafted whistleblower entry. | MEDIUM | Jul 8, 2022 | n/a |
CVE-2022-33996 | Incorrect permission management in Devolutions Server before 2022.2 allows a new user with a preexisting username to inherit the permissions of that previous user. | MEDIUM | Jul 7, 2022 | n/a |
CVE-2022-33971 | Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier, which may allow an adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally to cause a denial-of-service (DoS) condition or execute a malicious program. | MEDIUM | Jul 5, 2022 | n/a |
CVE-2022-33743 | Network backend may cause Linux netfront to use freed SKBs. While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. | MEDIUM | Jul 5, 2022 | n/a |
CVE-2022-33738 | OpenVPN Access Server before 2.11 uses a weak random generator to create user session tokens for the web portal | MEDIUM | Jul 6, 2022 | n/a |
CVE-2022-33737 | The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a randomly generated admin password | MEDIUM | Jul 6, 2022 | n/a |
CVE-2022-33680 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | MEDIUM | Jul 7, 2022 | n/a |
CVE-2022-33208 | Authentication bypass by capture-replay vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who can analyze the communication between the affected controller and automation software 'Sysmac Studio' and/or a Programmable Terminal (PT) to access the controller. | MEDIUM | Jul 5, 2022 | n/a |